cosign
Safeguard articles tagged "cosign" — guides, analysis, and best practices for software supply chain and application security.
33 articles
Signing Container Images: Cosign, Notary, and Why It Matters
Signing container images cryptographically proves an image came from a trusted build and hasn't been tampered with since — here's how Cosign and Notary do it, and why registries alone can't guarantee that.
Kyverno ImageValidatingPolicy 2026: A Production Walkthrough
Kyverno 1.18 ships ImageValidatingPolicy as the new policy type for cosign signature, attestation, and SBOM verification. We migrated a 60-cluster fleet and graded the new model.
Sigstore Rekor Transparency Log Deep Dive 2026
How Rekor actually works in 2026, the trade-offs of the current Merkle tree design, witness diversity, and the operational realities of verifying inclusion at scale.
What is Image Signing
Container image signing binds a cryptographic signature to an image's digest so you can prove what's running is what was actually built — not just scanned.
Cosign for Container Signing: A Production Setup
A working production setup for Cosign image signing across CI, registries, and Kubernetes admission, including the parts that break at scale and how to recover.
Implementing keyless container image signing with Cosign ...
A hands-on guide to Cosign keyless signing GCP setups with Sigstore, Workload Identity Federation, and Cloud Build — sign and verify images with no key management.
Cosign v2.6: New Bundle Format and Trusted Root
Sigstore's Cosign v2.6 unlocks offline verification, in-toto statement signing, and trusted-root portability. We walk through the new --new-bundle-format flag end-to-end.
Sigstore Cosign Keyless Signing Explained for Teams
Keyless signing swaps long-lived private keys for ten-minute certificates tied to an OIDC identity. How Fulcio and Rekor work, and how to roll it out without breaking deploys.
How to Test Your Signing Pipeline End to End
Build a repeatable end-to-end test harness for your signing pipeline that proves artifacts are signed correctly and that verification fails when tampered.
How to Rotate Build Signing Keys Safely
A step-by-step tutorial for rotating Cosign and GPG build signing keys without breaking existing attestations, verification chains, or downstream consumers.
Cosign Verification Policies in Production
Writing cosign verification policies that actually pass production deployment gates requires more precision than the examples suggest. Here is what we have learned.
AWS ECR Image Signing in Production
Image signing in ECR has moved from nice-to-have to table stakes. Here is what it actually takes to run cosign and AWS Signer in production without breaking every deploy.